@defuse-protocol/intents-sdk

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

cawabunga_aurora

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:omni-bridge-sdk	AI (phantom-deps): omni-bridge-sdk is a declared dependency used via config/re-export pattern; stable false positive for this package.	ai	2026/06/02
publish-pattern	new-deps-added	AI (publish-pattern): New deps are established ecosystem packages (solana/web3.js, valibot, etc.) consistent with multi-chain SDK expansion.	ai	2026/06/01
source-diff	large-new-source-files	AI (source-diff): SDK bundles chain-specific deps (Solana, NEAR) into dist/node_modules; large file counts are expected for this package.	ai	2026/05/31
source-diff	source-size-tripled	AI (source-diff): Size growth driven by bundled @solana/web3.js and related libs; consistent with expanding multi-chain SDK scope.	ai	2026/05/31
provenance	no-provenance	AI (provenance): Established package with 108 versions; provenance not historically used, low risk.	ai	2026/05/30
maintainer-change	maintainer-removed	AI (maintainer-change): Removal of human maintainer consistent with migration to automated CI/CD publishing via GitHub Actions.	ai	2026/05/29
provenance	publisher-changed	AI (provenance): Transition to GitHub Actions CI publishing with SLSA attestation is a legitimate and more secure publishing pattern for this org.	ai	2026/05/29
phantom-deps	phantom-dep:@near-js/keystores	AI (phantom-deps): NEAR SDK deps referenced in config/type files; stable false positive for this package.	ai	2026/05/04
phantom-deps	phantom-dep:@near-js/accounts	AI (phantom-deps): NEAR SDK deps referenced in config/type files; stable false positive for this package.	ai	2026/05/04
phantom-deps	phantom-dep:@near-js/client	AI (phantom-deps): NEAR SDK deps referenced in config/type files; stable false positive for this package.	ai	2026/05/04
phantom-deps	phantom-dep:@lifeomic/attempt	AI (phantom-deps): @lifeomic/attempt is a declared runtime dep; phantom-dep heuristic fires incorrectly for bundled SDK packages.	ai	2026/04/29

Versions (showing 51 of 77)

View all versions

Version	Deps	Published
0.67.1	16 / 2	2026-05-29
0.67.0	16 / 2	2026-05-26
0.66.1	16 / 2	2026-05-20
0.66.0	16 / 2	2026-05-20
0.65.0	16 / 2	2026-05-19
0.64.1	16 / 2	2026-05-14
0.64.0	16 / 1	2026-05-14
0.63.2	16 / 1	2026-05-13
0.63.1	16 / 1	2026-05-12
0.63.0	16 / 1	2026-05-11
0.62.2	16 / 1	2026-05-09
0.62.1	16 / 1	2026-04-30
0.62.0	16 / 1	2026-04-30
0.61.0	16 / 1	2026-04-29
0.60.0	16 / 1	2026-04-14
0.59.1	16 / 1	2026-04-13
0.59.0	16 / 1	2026-04-12
0.58.2	16 / 1	2026-04-01
0.58.1	16 / 1	2026-03-31
0.58.0	16 / 1	2026-03-19
0.57.0	16 / 1	2026-03-12
0.56.1	16 / 1	2026-03-04
0.56.0	16 / 1	2026-03-04
0.55.1	16 / 1	2026-02-25
0.55.0	16 / 1	2026-02-24
0.54.0	16 / 1	2026-02-24
0.53.3	16 / 1	2026-02-19
0.53.2	16 / 1	2026-02-16
0.53.1	16 / 1	2026-02-15
0.53.0	16 / 1	2026-02-13
0.52.0	16 / 1	2026-02-11
0.51.0	16 / 1	2026-02-04
0.50.0	16 / 1	2026-02-04
0.49.0	18 / 1	2026-02-03
0.48.0	18 / 1	2026-01-30
0.47.0	18 / 1	2026-01-29
0.46.0	18 / 1	2026-01-21
0.45.0	18 / 1	2026-01-09
0.44.0	18 / 1	2026-01-08
0.43.3	18 / 2	2025-12-10
0.43.1	18 / 2	2025-12-08
0.43.0	18 / 2	2025-12-08
0.39.1	18 / 2	2025-12-02
0.39.0	18 / 2	2025-12-02
0.38.1	18 / 2	2025-11-28
0.37.0	18 / 2	2025-11-25
0.36.1	18 / 2	2025-11-24
0.34.0	18 / 2	2025-11-22
0.33.2	18 / 2	2025-11-21
0.33.0	18 / 2	2025-11-15
0.31.0	18 / 2	2025-11-05

v0.67.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.67.0

2 findings

HIGH Publisher changed: cawabunga_aurora → GitHub Actions (on 2026-05-26) provenance

This version was published by a different npm account than previous versions on 2026-05-26. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.66.1

2 findings

HIGH Publisher changed: cawabunga_aurora → GitHub Actions (on 2026-05-20) provenance

This version was published by a different npm account than previous versions on 2026-05-20. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.66.0

2 findings

HIGH Publisher changed: cawabunga_aurora → GitHub Actions (on 2026-05-20) provenance

This version was published by a different npm account than previous versions on 2026-05-20. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.